How to protect water utilities against cybercrime

Last updated: 23 February 2023

The threat of cyberattacks and data breaches are now an almost inevitable element of the increasingly digital societies in which we live. This was highlighted in our recent Data Threat Report with almost a third of businesses (29%) experiencing a breach in 2021.

With that said, there are still areas you might think would be beyond the reach of cyber threat – mostly because many of us aren’t aware of the digitalisation that is completely redefining certain sectors. One such area that is more and more at risk are water utilities businesses.

I think back to the case of a hacker who had gained access to the water system in Florida in an, ultimately, failed attempt to poison the water supply, which is a worrying example of the risk posed to our most valuable infrastructure. This attempted attack, which was made by someone remotely accessing the water treatment system is just a microcosm of the wider threat landscape posed to entities that have made the shift from analogue to digital in the last few years.

The digitisation of water infrastructure

How can water infrastructure be prone to this sort of disruption? Well, it is often not talked about in the same way that the smart grid is, but water services have become more and more connected over the last few years.

It is now commonplace for smart water meters, controllers and sensors to be installed in homes. For water utilities companies, these devices can drive efficiencies and profitability across the network as they no longer need to regularly send out meter readers to gauge consumption. In turn, gathering this sort of data wholesale helps companies to better understand trends that can make the whole water network run better – such as spotting and fixing leaks.

For consumers, the benefits of a digitised network are also clear. Studies have shown that once people have sight of their usage, their consumption levels can come down by around 15%. Customers with connected water equipment can also benefit from more proactive client management – as water companies spot anomalies in their data – and quicker resolutions to issues.

Looked at together, it’s clear to see why water networks have pursued this shift to digitalisation over the last few years.

Digital services opening door to cyberattacks

At the same time, this network-wide digitisation of water infrastructure is a very appealing target to cybercriminals who can now cause disruption to services from the comfort of their own homes.

On a network level, the threat possibilities posed to water utilities can be tangibly worrying; the idea of someone getting control of the water grid to cause flooding or widespread contamination – as demonstrated above in the example of the Florida water network – is a very real fear that keeps CEOs awake at night.

Disconcertingly, incidents of network wide disruption are becoming more commonplace. Even in 2017, it was clear that the ever-growing connectivity of our water supplies was leading to increased attention from hackers. Back then, Eddie Habibi – founder of security firm PAS – posed a dire warning about the threat, saying: “Weapons of mass destruction don’t have to be physical bombs that move from one location to another—they can be these ticking bombs in these control systems that …cause severe damage and bring down the critical infrastructure of a country.”

At a consumer level, the threat to connected water appliances also continues to multiply as the number of these devices grow. In homes, hacked appliances can give all kinds of insights into the occupants’ lives – such as supplying bad actors with the opportunity to understand the habits of those who live there, and using that data to work out when they might be out of the house.

End-to-end security: a salve for threatened water networks

What this all serves to underline is just how important end-to-end security is in the water network. With possible attack vectors ranging from individual water meters all the way through to dam controls, there is a clear case for ensuring that all parts of the network are protected with a security-by-design methodology and cybersecurity built into every single sensor and module.

By giving a strong digital identity to water meters and the people dealing with them, and by encrypting all critical data travelling between ecosystem players, precious assets and data can be kept away from malicious eyes.

Many cyber attacks are all about data collection, so it is essential that water networks encrypt the personal information of their customers as it travels across their networks, as well as ensuring they authenticate and validate the users accessing their systems.

Not only that, but all parts of the ecosystem need to be updated throughout their life cycles – prematurely discontinuing patches and updates to devices can provide cybercriminals with a backdoor into the whole network.

The ever-digitisation of the water network has the potential to significantly improve the way our most precious asset reaches homes. This cannot be compromised by taking a lax attitude to the security of our critical infrastructure and there are many practical steps that water companies and utilities can take.

Leave a Reply

Your email address will not be published. Required fields are marked *